path: root/dist/templates/about/privacy.html.hbs
blob: 56158cf3b5b6866c79be8e73e733e6b9165ccd42 (plain)
{{#> layout }}
<div class="about">
    <center><h2><a href="/about">About</a> | <a href="/about/news">News</a> | <a href="/about/usage">Usage</a> | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | Privacy</h2></center>

    <h3>Name and contact details</h3>
    <p>
        <span class="brand">keys.openpgp.org</span> is a community effort.
        You can find more information about us, and our contact details, <a href="https://keys.openpgp.org/about">here</a>.
    </p>

    <h3>How we process data</h3>
    <p>
        The public keyserver running on <span class="brand">keys.openpgp.org</span> processes, stores, and distributes OpenPGP certificate data.
        The specific way in which data is processed differs by type as follows:
    </p>

    <ul>
        <li>
            <h4>Email Addresses</h4>

            <p>
                Email addresses of individuals contained in <abbr title="Packet Tag 13">User IDs</abbr> are personal data.
                Special care is taken to make sure they are used only with consent, which you can withdraw at any time:
            </p>

            <ul>
                <li>Publishing requires double opt-in validation, to prove ownership of the email address in question.</li>
                <li>Addresses are searchable by exact email address, but not by associated name.</li>
                <li>Enumeration of addresses is not possible.</li>
                <li>Deletion of addresses is possible via simple proof of ownership in an automated fashion, similar to publication, using the <a href="https://keys.openpgp.org/manage">“manage” tool</a>. To unlist an address where this isn't possible, write to support at keys dot openpgp dot org.</li>
            </ul>

            <p>
                This data is never handed collectively (“as a dump”) to third parties.
            </p>
        </li>

        <li>
            <h4>Public Key Data</h4>

            <p>
                We process the cryptographic content of OpenPGP certificates – such as public key material, self-signatures, and revocation signatures – for the legitimate interest of providing the service.
            </p>
            <p>
                This data is not usually collectively available (“as a dump”), but may be handed upon request to third parties for purposes of development or research.
            </p>
            <p>
                If you upload your OpenPGP certificates to the service, you are the source of this data.
                It is also possible for anyone who has your public OpenPGP certificates to upload them to this service – for example, if you have published them somewhere else, or sent them to someone. This does not include publication of Email Addresses, which are only used with explicit consent as described above.
            </p>
        </li>

        <li>
            <h4>Other User ID data</h4>

            <p>
                An OpenPGP certificate may contain personal data other than email addresses, such as User IDs that do not contain email addresses, or image attributes.
                This data is stripped during upload and never stored, processed, or distributed in any way.
            </p>
            <p>
                OpenPGP packet types that were not specifically mentioned above are stripped during upload and never stored, processed or distributed in any way.
            </p>
        </li>

    </ul>

    <p>
        Data is never relayed to third parties outside of what is available from the public API interfaces, and what is described in this policy and on our <a href="https://keys.openpgp.org/about">about page</a>.
    </p>
    <p>
        This service is available on the Internet, so anyone, anywhere in the world, can access it and retrieve data from it.
    </p>

    <h3>Retention periods</h3>

    <p>
        We will retain your email address linked with your OpenPGP certificates until you remove it.
        We will remove your Public Key Data if you wish, but note that anyone can re-upload it to the service, in keeping with the “public” nature of this key material.
    </p>

    <p>
        All incoming requests are logged for a period of 30 days, and only used as necessary for operation of the service.
        IP addresses are anonymized for storage.
    </p>

    <h3>Your rights</h3>

    <p>
        You can withdraw consent to the processing of your email address at any time, or erase your email addresses, using the <a href="https://keys.openpgp.org/manage">“manage” tool</a>.
    </p>
    <p>
        You can obtain access to the personal data we process about you by viewing your OpenPGP certificates, or searching for your certificates using your email addresses, using this service.
    </p>
    <p>
        You can delete your OpenPGP certificates by emailing support at keys dot openpgp dot org, but note that anyone can upload them again. If you object to having your certificate re-uploaded, email support at keys dot openpgp dot org and we will banlist your keys.
    </p>
    <p>
        To exercise the right of portability, you can download your OpenPGP certificate using this service.
    </p>
    <p>
        If you are in the EEA or UK, you also have the right to lodge a complaint with a supervisory authority, such as your local data protection authority.
    </p>
</div>
{{/layout}}